Advanced File Manager < 5.2.9 – Authenticated (Subscriber+) Arbitrary File Upload | CVE 2024-8126 | Plugin Vulnerabilities

Description

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

file-manager-advanced

Fixed in 5.2.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/801d6cde-f9c6-4e68-8bfc-ff8c0593372d

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

41c7d8f4-97f6-4af8-9134-4221a8a81d35

Timeline

Publicly Published

2024-09-25 (about 1 year ago)

Added

2024-09-26 (about 1 year ago)

Last Updated

2024-09-26 (about 1 year ago)

Other

Published

Title

Published

2024-11-25

Title

Booking calendar, Appointment Booking System < 3.2.16 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

Published

2026-02-18

Title

Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.2 - Unauthenticated Limited File Upload

Published

2023-08-28

Title

Olive One Click Demo Import <= 1.1.2 - Admin+ Arbitrary File Upload

Published

2024-07-08

Title

Gutenberg Forms <= 2.2.9 - Unauthenticated Arbitrary File Upload

Published

2024-10-30

Title

Multi Purpose Mail Form <= 1.0.2 - Unauthenticated Arbitrary File Upload